Data Link Layer Security & Network Layer Security Lecture 3 Asst.Prof. Supakorn Kungpisdan, Ph.D....


Transcript of Data Link Layer Security & Network Layer Security Lecture 3 Asst.Prof. Supakorn Kungpisdan, Ph.D....

Page 1: Data Link Layer Security & Network Layer Security Lecture 3 Asst.Prof. Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th.

Data Link Layer Security & Network Layer Security

Lecture 3

Asst.Prof. Supakorn Kungpisdan, Ph.D.

supakorn@mut.ac.th

Page 2

NETE4630: Advanced Network Security and Implementation 2

Roadmap

Data-link Layer Security

Network Layer Security

Page 3

Task: MAC Address Spoofing

What is MAC address spoofing?

What is its purpose?

Suggest a way to perform an attack using MAC spoofing

Explain how it works

Suggest how to prevent MAC address spoofing

Page 4

Passive Sniffing

Monitor incoming packets

Rely on a feature of network cards called promiscuous mode: the network card passes all packets on to the operating system, rather than just those unicast or broadcast to the host

It only listens to incoming packets and does not transmit any packets

Does not work well in a switched network

The attacker can sniff traffic within his/her VLAN

Page 5

Active Sniffing

Inject packets into the network that cause traffic that should not be sent to your system to be sent to your system

Active wireless sniffing involves sending out multiple network probes to identify APs

Page 6

ARP Poisoning

Active or passive sniffing?

Page 7

ARP Poisoning (cont.)

By spoofing the default gateway’s IP address, all hosts on the subnet will route through the attacker’s machine

Need to poison the ARP cache of every host on the subnet

Better if targeting a single host on the network

Should not spoof the IP of another client. Why?

To perform ARP poisoning:

# arp -s <victim IP> <our MAC address> pub

Page 8

ARP Flooding

Aka. CAM (Content Addressable Memory) Table Overflow

CAM stores information about the MAC addresses available on each physical port and their associated VLAN parameters

CAM is normal memory, limited in size

Flood the switch with a huge number of ARP requests

The switch is too busy to enforce its port security and broadcasts all traffic to every port in the network

Thus making a MITM attack possible: the attacker can start sniffing network traffic

Page 9

DHCP

Page 10

DHCP Starvation Attack

Consuming the IP address space allocated by a DHCP server

Attacker broadcasts a large number of DHCP requests using spoofed MAC addresses

The DHCP server will lease its IP addresses one by one to the attacker until it runs out of available IPs for new, normal clients

Leads to DoS

Page 11

Rogue DHCP Server

Set up a rogue DHCP server serving clients with false details

E.g. giving them its own IP as default router

Results in all the traffic passing through the attacker’s computer

Rogue DHCP server can be set up even without DHCP starvation attack, as clients accept the first DHCPOFFER they receive

Page 12

Preventing DHCP Attacks

Port security: do not allow more than X MAC addresses on one port

Rogue DHCP is more difficult to prevent

“Authentication for DHCP Messages” (RFC 3118)

DHCP snooping filters DHCP messages from non-trusted hosts

It contains a database of trusted and untrusted interfaces

Page 13

DHCP Snooping

An untrusted interface: an interface configured to receive messages from outside the network or firewall

A trusted interface: an interface configured to receive only messages from within the network

An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network


Page 14

DHCP Snooping (cont.)

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers.

DHCP snooping filters untrusted DHCP messages by building and maintaining a DHCP snooping binding table

The DHCP snooping binding table contains: MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch

Page 15

DHCP Snooping (cont.)

If the DHCPOFFER came from an untrusted interface, the switch shuts down the port

The switch trusts the interface to which the authorized DHCP server is connected (trusted interface)

Page 16

Enabling DHCP Snooping

Int GigabitEthernet 5/1 is trusted

Int GigabitEthernet 2/1 is untrusted

Page 17

Dynamic ARP Inspection (DAI)

DAI validates ARP packets in a network based on IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database

DAI checks IP-to-MAC bindings against the DHCP snooping DB

It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings

It checks only inbound packets

Page 18

How DAI Works

The switch performs these activities:

1. Intercepts all ARP requests and responses on untrusted ports

2. Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination

3. Drops invalid packets


Page 19

DAI (cont.)


http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=8

Page 20

DAI in Action


Page 21

DAI in DHCP Environment

DAI relies on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings.

Configure each secure interface as trusted using the ip arp inspection trust interface configuration command.

The trusted interfaces bypass the ARP inspection validation checks, and all other packets are subject to inspection when they arrive on untrusted interfaces.

Switch(config)# interface GigabitEthernet1/0/1

Switch(config-if)# ip arp inspection trust

Switch(config)# ip arp inspection vlan 5-10


Page 22

DAI in non-DHCP Environment

DAI relies on user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses

Switch(config)# arp access-list arpacl

Switch(config-arp-acl)# permit ip host 10.1.1.11 mac host 0011.0011.0011

Switch(config-arp-acl)# exit

Switch(config)# ip arp inspection filter arpacl vlan 5

Switch(config)# interface GigabitEthernet1/0/2

Switch(config-if)# no ip arp inspection trust

If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks

Page 23

DAI Steps

1. By default, all interfaces are untrusted

2. The switch does not check ARP packets that it receives from the other switch on the trusted interface

3. For untrusted interfaces,

1. the switch intercepts all ARP requests and responses.

2. It verifies that the intercepted packets have valid IP-to-MAC address bindings. First it checks the ARP access control list; if there is no such ACL, it checks the DHCP snooping database
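The DAI steps above, applied to the gateway-spoofing scenario from the ARP poisoning slide and the binding table fields from the DHCP snooping slide, as an added Python model (not the switch vendor's code). The binding table, ARP ACL entries and packets are constructed; the gateway and attacker MAC addresses are assumptions.

```python
"""Model of Dynamic ARP Inspection following the DAI steps on the slides.

Added illustration, not the switch vendor's code. The binding table, ARP ACL
entries and packets below are constructed; the gateway MAC is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    """The parts of an inbound ARP request/reply that DAI validates."""
    sender_ip: str
    sender_mac: str
    vlan: int
    ingress_if: str


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding table entry (fields as listed on the slides)."""
    mac: str
    ip: str
    lease_time: int
    binding_type: str
    vlan: int
    interface: str


@dataclass
class DaiSwitch:
    trusted_ifs: Set[str] = field(default_factory=set)   # all untrusted by default
    bindings: List[Binding] = field(default_factory=list)
    # vlan -> permitted (ip, mac) pairs, i.e. "permit ip host X mac host Y"
    arp_acls: Dict[int, List[Tuple[str, str]]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for one inbound ARP packet."""
        # Trusted interface: forwarded without any checks.
        if pkt.ingress_if in self.trusted_ifs:
            return "forward"
        # Untrusted interface: the ARP ACL is consulted first; a packet the
        # ACL does not permit is then compared with the DHCP snooping bindings.
        if (pkt.sender_ip, pkt.sender_mac) in self.arp_acls.get(pkt.vlan, []):
            return "forward"
        if any(b.vlan == pkt.vlan and b.ip == pkt.sender_ip
               and b.mac == pkt.sender_mac for b in self.bindings):
            return "forward"
        # Invalid binding: intercept, log and discard.
        self.log.append(f"DAI drop on {pkt.ingress_if} vlan {pkt.vlan}: "
                        f"{pkt.sender_ip} claimed by {pkt.sender_mac}")
        return "drop"


def demo() -> List[str]:
    """Scenario built from the slide's values: Gi1/0/1 trusted, host 10.1.1.11
    at 0011.0011.0011 on Gi1/0/2, and a host on Gi1/0/3 claiming the gateway IP."""
    sw = DaiSwitch(trusted_ifs={"GigabitEthernet1/0/1"})
    sw.bindings.append(
        Binding("0011.0011.0011", "10.1.1.11", 86400, "dynamic", 5, "GigabitEthernet1/0/2"))
    # Static gateway entry for VLAN 5 (constructed MAC).
    sw.arp_acls[5] = [("10.1.1.1", "0000.0000.0a01")]
    packets = [
        ArpPacket("10.1.1.11", "0011.0011.0011", 5, "GigabitEthernet1/0/2"),  # in snooping DB
        ArpPacket("10.1.1.1", "0000.0000.0a01", 5, "GigabitEthernet1/0/1"),   # trusted uplink
        ArpPacket("10.1.1.1", "00aa.bbcc.dd01", 5, "GigabitEthernet1/0/3"),   # gateway spoof
        ArpPacket("10.1.1.50", "00aa.bbcc.dd01", 5, "GigabitEthernet1/0/3"),  # no lease
    ]
    return [sw.inspect(p) for p in packets]


if __name__ == "__main__":
    print(demo())          # ['forward', 'forward', 'drop', 'drop']
    print(*DaiSwitch().log, sep="\n")
```

The two dropped packets are the ones an ARP cache would otherwise have accepted; the log lines are what a defender would forward to the SIEM.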

Page 24

Routing Games

One method to ensure that all traffic on a network will pass through your host is to change the routing table of the host you wish to monitor

Sending a fake route advertisement via the RIP, declaring yourself as the default gateway

All outbound traffic will pass through your host and then go to the real default gateway

But may not receive returned traffic unless you can modify the default gateway’s routing table

Page 25

Network Layer Security

Supakorn Kungpisdan, supakorn@mut.ac.th

Page 26

Overview


[Figure: IP packet format, with the IP Header Length and Identification (IPID) fields highlighted]

Page 27

Overview

IP, ICMP, and routing protocols

IP is connectionless and subject to DoS

ICMP can be used by attackers

Routing protocols are subject to stack attacks

Page 28

IP Attacks

Spoofing

Fragmentation

Passive and Active Fingerprinting

Port Scanning

Redirection

Page 29

IP Spoofing

Local Spoofing

Attacker and victim are on the same subnet

Attacker begins by sniffing traffic to find the key pieces of information needed to launch an attack

Session hijacking is another spoofing technique. The attack starts at the transport layer

Blind Spoofing

Attacker is not on the same local subnet as the victim

Many pieces of information needed to be successful are not available. The key parameters must be guessed

Most modern OSes use fairly random sequence numbers, making the attack difficult to launch


Page 30

Fragmentation

Fragmentation is required when transmitting packets to different networks that have different MTUs

The idea is to send different data streams to each device

Page 31

IP Fragmentation


Page 32

Evasion Attack

Evasion attack: sends packets to an IDS and target that will be rejected by the IDS and accepted by the target. The IDS drops the packet and does not check its payload

An attacker sends the first fragment to an IDS that has a fragmentation timeout of 15 s, while the target system has a timeout of 30 s

The attacker waits more than 15 s but less than 30 s before sending the 2nd fragment. The IDS discards the second fragment (and the first) because its timeout has been reached. However, the target system accepts the second fragment (within its timeout). Thus the IDS will not record this attack

[Figure: fragments #1 and #2 arriving at the IDS (15 s timeout) and at the target (30 s timeout)]

Page 33

Fragmentation Attacks

Overlapping fragmentation can offer an attacker a means of slipping packets past an IDS and firewall

Sending a packet through a Cisco router to a Windows-based system

If it receives a duplicate fragment, the Cisco router prefers the last fragment, whereas Windows prefers the original fragment

Page 34

Fragmentation Attacks (cont.)

[Figure: attacker sends #1 #2; Windows and the router accept #1 and #2; attacker modifies #2 (same size, same offset) and transmits #2 #3; Windows keeps the original #1 #2 #3, the router keeps #1 and the retransmitted #2 #3]

Page 35

Fragmentation Attacks (cont.)

An attacker breaks a message into 3 fragments

He sends fragments 1 and 2 to both the router and Windows. Both accept the fragments

He then sends fragments 2 and 3. The retransmitted fragment 2 is of the same size and offset as the original fragment but has a different payload

Windows keeps the original fragment 2 but the router keeps the retransmitted one
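The timeout evasion (page 32) and the overlapping-fragment case (pages 33 to 35) come from the same two reassembly parameters, so here is one added Python model of both (not lecture code): a reassembler with a configurable timeout and overlap policy. Fragment payloads, byte offsets and arrival times are constructed; the check it demonstrates is the defender's one, that an IDS reassembles the same datagram as the host only when its timeout is at least the host's and its overlap policy matches the host's.

```python
"""Fragment reassembly with a timeout and an overlap policy.

Added model for the evasion (page 32) and overlapping-fragment (pages 33-35)
cases; it is not code from the lecture. Fragments use byte offsets and
constructed payloads and arrival times.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset within the original datagram
    payload: bytes
    more: bool       # MF flag: False on the final fragment
    arrived: float   # arrival time in seconds


class Reassembler:
    """policy 'first' keeps the fragment already held (Windows on the slides);
    'last' lets a retransmission overwrite it (Cisco router on the slides).
    timeout is how long a partial datagram is kept before it is discarded."""

    def __init__(self, policy: str, timeout: float) -> None:
        if policy not in ("first", "last"):
            raise ValueError("policy must be 'first' or 'last'")
        self.policy, self.timeout = policy, timeout
        self.held: Dict[int, Fragment] = {}          # offset -> fragment
        self.started: Optional[float] = None
        self.total: Optional[int] = None

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Feed one fragment; return the datagram once it is complete."""
        if self.started is not None and frag.arrived - self.started > self.timeout:
            # Reassembly timer expired: everything held so far is discarded.
            self.held.clear()
            self.started = self.total = None
        if self.started is None:
            self.started = frag.arrived
        if frag.offset not in self.held or self.policy == "last":
            self.held[frag.offset] = frag
        if not frag.more:
            self.total = frag.offset + len(frag.payload)
        return self._assemble()

    def _assemble(self) -> Optional[bytes]:
        if self.total is None:
            return None
        out = bytearray()
        for off in sorted(self.held):
            if off != len(out):                      # gap still unfilled
                return None
            out += self.held[off].payload
        return bytes(out) if len(out) == self.total else None


def evasion(ids_timeout: float = 15.0, target_timeout: float = 30.0
            ) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Fragment #1 at t=0, #2 at t=20 s. Returns what the IDS and the target rebuilt."""
    frags = [Fragment(0, b"first-half", True, 0.0),
             Fragment(10, b"second-half", False, 20.0)]
    ids, target = Reassembler("first", ids_timeout), Reassembler("first", target_timeout)
    ids_out = target_out = None
    for f in frags:
        ids_out, target_out = ids.add(f), target.add(f)
    return ids_out, target_out


def overlap() -> Tuple[Optional[bytes], Optional[bytes]]:
    """#1 and #2 sent, then a modified #2 (same size, same offset) with #3.
    Returns (what a 'first' host keeps, what a 'last' router keeps)."""
    frags = [Fragment(0, b"fragment", True, 0.0), Fragment(8, b"ORIGINAL", True, 1.0),
             Fragment(8, b"MODIFIED", True, 2.0), Fragment(16, b"-three", False, 2.0)]
    results = []
    for policy in ("first", "last"):
        r, out = Reassembler(policy, 30.0), None
        for f in frags:
            out = r.add(f)
        results.append(out)
    return results[0], results[1]


if __name__ == "__main__":
    print(evasion())              # (None, b'first-halfsecond-half')
    print(evasion(30.0, 30.0))    # IDS timeout raised to the target's: both rebuild it
    print(overlap())              # (b'fragmentORIGINAL-three', b'fragmentMODIFIED-three')
```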

Page 36

Teardrop Attack

Teardrop, targa, NewTear, Nestea, Bonk, Boink, TearDrop2, and SynDrop are some of the tools that can crash machines that have a vulnerability in the IP stack

There is a fragmentation bug in the IP stack implementation of some old Linux kernels (2.0), Windows NT, and Windows 95

Sending malformed packets with the fragmentation offset value tweaked so that the received fragments overlap

A reboot solved the problem until the next attack

Page 37

Fingerprinting

Fingerprinting is the act of using peculiarities of IP, TCP, UDP, and ICMP to determine the operating system

Active VS passive fingerprinting

Active fingerprinting: sends malformed (or non-RFC-compliant) packets to the target. Different OSes respond to these packets differently

Nmap

Page 38

Passive Fingerprinting

Passive fingerprinting: similar concept, but not injecting traffic into the network

Looking at 4 fields: TTL value, Don’t Fragment bit (DF), Type of Service (TOS), Window size

TTL, DF, and TOS are found in the IP header; Window size is found in the TCP header

Page 39

Passive Fingerprinting: TTL

A packet has its TTL reduced each time it passes through a router or when it remains in a router’s queue too long

There is no requirement on what the initial TTL value should be

The attacker may assume that the value observed is less than the original value (no more than 255)

Page 40

Passive Fingerprinting: DF and TOS

The DF flag is the primary method that systems use to perform PMTUD (Path MTU Discovery). Many older OSes don’t use this feature

TOS can be analyzed to determine the OS. Even though it is rarely used on the Internet, some developers set it to a value other than zero to prevent this fingerprinting

Page 41

PMTUD

Path MTU discovery (PMTUD) is a technique in computer networking for determining the MTU size on the network path between two hosts, usually with the goal of avoiding IP fragmentation

1. Path MTU discovery works by setting the DF (Don't Fragment) option bit in the IP headers of outgoing packets.

2. Any device along the path whose MTU is smaller than the packet will drop it, and send back an ICMP Type 3 Code 4 “Destination Unreachable (Fragmentation Needed and DF was set)” message

3. The ICMP Type 3 Code 4 message contains its MTU, allowing the source host to reduce its assumed path MTU appropriately.

4. The process repeats until the MTU is small enough to traverse the entire path without fragmentation.


Page 42

PMTUD (cont.)


Page 43

Passive Fingerprinting: Window Size

TCP Window specifies the amount of data that can be sent without having to receive an acknowledgement

Window size should either be as close as possible to the MTU or should be some multiple of this value

Linux 2.0 used a value of 16,384, while version 3 of FreeBSD used a value of 17,520

The most up-to-date passive fingerprinting tool is p0f
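The four passive-fingerprinting fields from pages 38 to 43 (TTL, DF, TOS, window size) pulled out of a raw IPv4+TCP packet, as an added Python example that is not p0f's code. The packet builder and the two-entry signature table are constructed for illustration: the window values are the ones quoted on the slides, while the initial TTL of 64 and the DF setting in those signatures are assumptions. The hop estimate applies the page-39 point that the observed TTL is at most the original value.

```python
"""Passive fingerprinting: pull TTL, DF, TOS and TCP window out of a packet.

Added example for the four fields on the slides; not p0f's code. The packet
bytes and the tiny signature table are constructed for illustration.
"""
import struct
from typing import Dict, Optional, Tuple

# Common initial TTLs; the observed TTL can only be at or below the starting value.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed signatures: (initial_ttl, df, window) -> label. Window values are
# those quoted on the slides; the TTL and DF columns are assumptions.
SIGNATURES: Dict[Tuple[int, bool, int], str] = {
    (64, True, 16384): "Linux 2.0 (constructed signature)",
    (64, True, 17520): "FreeBSD 3 (constructed signature)",
}


def parse_fields(pkt: bytes) -> Dict[str, int]:
    """Extract the fingerprint fields from a raw IPv4 header followed by TCP."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, tos, _total_len, _ipid, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    if proto != 6 or len(pkt) < ihl + 20:
        raise ValueError("need a TCP segment with a full 20-byte header")
    df = bool(flags_frag & 0x4000)            # DF is bit 1 of the 3-bit flags field
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]
    return {"ttl": ttl, "df": int(df), "tos": tos, "window": window}


def guess_initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common starting value."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    raise ValueError("TTL above 255")


def fingerprint(pkt: bytes) -> Tuple[Optional[str], int]:
    """Return (matching label or None, estimated hop count to the sender)."""
    f = parse_fields(pkt)
    init = guess_initial_ttl(f["ttl"])
    label = SIGNATURES.get((init, bool(f["df"]), f["window"]))
    return label, init - f["ttl"]


def build_packet(ttl: int, df: bool, tos: int, window: int) -> bytes:
    """Constructed IPv4 header (no options) plus a minimal TCP SYN header."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # sport, dport, seq, ack, data offset 5 words + SYN flag, window, checksum, urgent
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    sample = build_packet(ttl=58, df=True, tos=0, window=16384)
    print(parse_fields(sample))   # {'ttl': 58, 'df': 1, 'tos': 0, 'window': 16384}
    print(fingerprint(sample))    # ('Linux 2.0 (constructed signature)', 6)
```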

Page 44

Idle Scan: Open Port

Page 45

Idle Scan: Closed Port

Page 46

Idle Scan: Limitations

The idle host must truly be idle

Not all OSes use an incrementing IPID

Some versions of Linux set IPID to zero or generate a random IPID value

Several message passes need to be performed to validate the results

Page 47

ICMP Attacks

ICMP helps with logical errors and diagnostics

ICMP does not offer authentication

Payload is not checked by the OS

ICMP attacks include covert channels, echo attacks, port scans, traffic redirection, OS fingerprinting, and DoS

Page 48

Covert Channels

Covert channels offer attackers a way to have a secure communications channel by using allowed services

Covert channels can also work by exploiting flaws or weaknesses in protocols like ICMP, esp. ping

ICMP fields used in ping include: Type, Code, Identifier, Sequence Number, Optional Data

Page 49

ICMP Format

Page 50

Covert Channels (cont.)

Page 51

Covert Channels (cont.)

Page 52

Covert Channels (cont.)

Some systems like Linux let the user add data into the ping:

# ping -p 2b2b2b415448300 192.168.123.101

will place the modem hang-up string into the ping packet

Covert channel tools can use ICMP, TCP, or even IGRP: Loki, ICMP Backdoor, 007Shell, B0CK

Page 53

ICMP Echo Attacks

Flood target with ping traffic and use up all available bandwidth

Smurf exploits ICMP by sending a spoofed ping packet to the broadcast address and has the source address listed as the victim

In 2002, an attack was launched against the core DNS servers. They had ping enabled

It resulted in a large DoS attack that slowed the operation of the primary DNS servers

Page 54

Port Scanning

ICMP can be of great use to an attacker attempting to discover what ports are open

ICMP is invaluable since there is no response like with TCP

Sending an ICMP packet to a port will get no response if the port is open and will receive an ICMP type 3 code 3 (Destination Unreachable, Port Unreachable) packet if the port is closed

Page 55

Port Scanning (cont.)

Type 3 (Destination Unreachable)

Code 3 (Port Unreachable)

Page 56

ICMP Nuke Attacks

Using spoofed addresses, an attacker sends “Time Exceeded” (Type 11) or “Destination Unreachable” (ICMP Type 3) messages to communicating hosts

This results in a DoS attack

Check out ICMP Types and Codes


Page 57

ICMP Redirect Attack

By sending ICMP “redirect” messages, an attacker might force a router to forward packets destined to one host to the attacker’s IP address


Page 58

Preventing ICMP Redirect Attack

With Linux, we can force the kernel not to accept redirect messages for one or all interfaces

root@router# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects


Page 59

ICMP Flood

Ping Flood creates a broadcast storm of pings that overwhelm the target system

Using Linux, one can flood a host using ping -f.

root@router# ping -f 10.10.10.12 -c 1000

The above command floods the host 10.10.10.12 with 1,000 packets


Page 60

Preventing Ping Flood

Ping flood can be stopped by limiting the number of ICMP echo-request messages with IPTables:

root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT

root@router# iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP


Page 61

Ping of Death

Ping of Death crashed machines by sending ICMP “echo request” messages in IP packets larger than the maximum legal length of 65,535 octets, causing a buffer overflow that crashes the victim’s device (computer, printer, etc.)


Page 62

Routing Protocols Attacks

Distance-vector and link-state routing protocols suffer from attacks, especially DoS

RIP is an unauthenticated service; it is vulnerable to DoS

RIP spoofing works by making fake RIP packets and sending them to gateways and hosts to change their routes

An attacker can also modify the routing information to cause a redirect through a network, allowing him to sniff passwords or intercept and change data

Page 63

Preventing Address Spoofing

Do not allow traffic with an internal IP address as source that comes from the Internet

Log the dropped packets

Check out the router configuration guide at http://www.nsa.gov/snac/downloads_all.cfm

RIPv1 sends updates in cleartext with no authentication

RIPv2 has authentication but sends the authentication in cleartext

Suggest using OSPF with MD5 authentication

Restrict dynamic routing when possible

Page 64

Task

Research a technique to enhance security of DHCP protocol

Have a presentation on June 26, 2011. 15 minutes per group


Page 65

Question?

Next week: OSI Security #3